Open in app

Sign in

Write

Sign in

Porn sites have a privacy problem

Inti De Ceukelaire
7 min readDec 12, 2016

--

https://inti.io/porncheck

I bet most porn site users would like to remain anonymous.
Unfortunately, it only takes a couple of seconds to expose them. The majority of porn websites are vulnerable by design and we need to change that.

Last month, I read about a data breach of worlds #3 biggest porn sites xHamster. With 380,000 leaked passwords and e-mail addresses, the breach only accounts for a small amount of the website’s global 12 million members, but included more than 70 accounts related to government bodies in the US and the UK.

Staggered by the number of users that used their personal e-mail addresses to sign up, I wondered how many people I personally know would do the same. If you’re one of them and we ever got in touch: don’t worry, I won’t publish my ‘findings’ — but you, and a lot of other users, will have to take some action before things get a little too awkward.

I found that there are three different ways to check someone’s presence in a porn community:

1. The login page

Some login pages will simply tell you whether an e-mail is already taken, most sites however only check for the combination of an email and a password, so both existing and non existing e-mails will return something like ‘incorrect password’ upon a failed login attempt.

Bad: XHamster (Left) — Good: Pornhub (Right)

I tested world’s #5 most popular pornographic website with an active user community and came to the following results:

Only XHamster loses this round

2. The “forgot password” page

More websites start to lose protection as soon as we click the “Forgot password” link on the previous page:

Bad: YouPorn (Left) — Good: Pornhub (Right)

Pornhub was the only website to survive this test:

Is there a way to unveil Pornhub users? We’ll find out soon.

3. The register page

As far as the login and password forgot page goes, PornHub passed the test. But what if we would simply try to register with an e-mail that has already been taken?

…And there goes Pornhub

Even though Pornhub did amazing with previous test, it was not able to hide the presence of an e-mail address in the registration form.
Game over for all players:

Not a single porn site is able to hide your presence

Okay, so what?

Some of you may think:

“Who would even bother to check if my e-mail address is registered on a porn site?”

Using traditional methods: probably nobody. Unless you’re someone very important person or your partner is very suspicious.

Using my methods: possibly anyone in your contact list reading this.

Constantly checking e-mail addresses for an occasional match would be a tiresome and boring job that would take days to complete. I made a tool that does this in a couple of seconds:

https://inti.io/porncheck/

Go ahead and try it. It works. I tried this with my own Gmail contacts and got two matches of people I personally know. A friend of mine also got curious and found three matches in his contact list.

Note that this is not an attack on porn sites, nor its users.
It is merely a warning message: we have no idea how easily our dirty little secrets can be revealed if we don’t pay attention. I could’ve also written this blog article without the tool — but would you even care if that were the case? Would you even be reading it right now? Now that I got your attention, I can present my solution and spread some awareness:

Looking for a solution

Both the porn sites and their users should take action.

In first place you should never sign up for an account on a porn site with an e-mail address that can be traced back to you — but that’s not as easy as it may sound. While most people don’t sign up with their firstname.lastname e-mail address, they may use an old e-mail account that doesn’t directly relate to their name.

In the early days of the internet you may have registered an e-mail such as fluffybunny4@hotmail.com because it sounded pretty cool back then. Nowadays it has become your junk e-mail address you occasionally use for contests, games or things you don’t really want your name associated with. I assume porn sites would fit in this last category.

Sounds safe. Right?

I challenge you. Take your old junk e-mail address and run it through a Google search:

My old e-mail address mentioned in a Dutch newspaper article. Waiting for someone to register it on XHamster.

If no interesting results show up, just enter the e-mail address in the Facebook search. If Google doesn’t help, Facebook most likely does:

It only takes a second to check who’s behind an ‘anonymous’ e-mail alias. Thanks, Facebook!

Unless porn site users have a dedicated e-mail address linked to their account, they’re pretty much, well.. f*cked.

For porn sites, this is merely a UX problem: how woud you prevent duplicate accounts without being able to cancel the registration process when an e-mail is already registered? Websites show nothing instead of the ‘E-mail already exists’ dialog, but that’s not something I woud call user friendly.

Ashley Maddison, a dating website focussed on extramarital affairs, only needs a unique username upon signing up: multiple users can have the same e-mail account. This also means that you can’t sign in with your e-mail address, which would mean that you’d have to remember a unique username for every website. That doesn’t scale, right?

Another approach could be displaying something like

“Thank you for registering, please check your e-mail account”

And then sending a password reset e-mail when the e-mail address already exists, and a signup confirmation link if not. I believe this is the best solution to deal with this matter.

As an alternative solution, you can simply accept the fact that other people may track your porn memberships. Who are they to judge, after all?

If you liked this article or want to share your solutions, make sure to leave a comment below.

If you liked this article, you can follow me on Twitter or Facebook.

FAQ

  • What’s the problem?
    Most porn websites disclose whether e-mails are present in their database. Using a simple automated tool at https://inti.io/porncheck, it is only a matter of seconds to check if one of your contacts is active on a porn website.
  • How does it work?
    The tool uses xHamser’s sign up form to check if an e-mail already exists. It does not create any accounts. It just checks if an e-mail address is taken.
  • ..but nobody uses their personal e-mail addresses for these things. Right?
    Wrong. Several data breaches point out that people do use their personal e-mail or even their professional e-mail address. Some people also use old e-mail addresses which can easily be tracked back to their owner (see: looking for a solution).
    When I ran the test for my contact list initially, I also did not expect two of my contacts had used their personal and work e-mail to register. The only way to find out is to do the check.
  • What can I do to prevent this from happening to me?
    Only use dedicated anonymous e-mail addresses for porn sites. You can use disposable e-mail addresses like GuerillaMail, 10 Minute Mail or Mailinator.
  • How many accounts can be discovered using this tool?
    I don’t have the exact numbers but I suppose it’d be around 12 million users, the global user count of xHamster.
  • Why xHamster and not the other ones?
    xHamster failed all three tests and was the easiest to integrate. I didn’t want to include them all either because I don’t want it to become a mass porn surveillance tool: I don’t mean to shame porn site users in any way. I just want to spread awareness so one website will do.
  • Why is there a limit on the amount of e-mails we can scan at a time?
    As mentioned in the previous question, I don’t want this to be a mass porn surveillance tool. The limit also helps reducing the traffic for the porn site.
  • Do you store the e-mails?
    No. The application itself running entirely in your browser, which means that you can simply inspect the code and see for yourself. The tool does send a small request to xHamster’s server asking if a record is present in their database. Obviously I have no insights in what they do with this information query other than checking if it is present or not.
  • What’s wrong with porn?
    Absolutely nothing. This is not an attack on porn sites or viewers, but merely a wake-up call for those who think they are anonymous online.
  • Who are you?
    I’m Inti and I live in Oilsjt, Belgium — the country known for its beer, fries, chocolate and terrorists. As a kid, I was extremely skilled at breaking stuff. I’m 21 now, student, and still doing more or less the same being an ethical hacker with references as Google, Facebook, Microsoft, Yahoo and so on.

If you liked this article, make sure to follow me on Twitter: @securinti(English) and @intidc (Dutch)

Security
Tech

--

--

Inti De Ceukelaire

Written by Inti De Ceukelaire

5K Followers

Hacker @securinti | Head of Hackers @intigriti

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams